I was wondering if anyone knows of a way to bypass the sp6 SAM file protection - since the update [not sure which] protects the SAM file from being copied. Thanks
Never really tried, but this link looks promising...
I hope you are doing this on your own box... I'd hate to be giving out info to someone with malicious intent. I have played around a lot on my own boxes, so I will give you the benefit of the doubt...
Link
quick quote
Quote:
§ Obtaining the SAM\Password Hashes
Wow, how wonderful. Now we know where the goods are, and the problem is this...
"How do I get my hands on those hashes?" The answer is "One of four ways."
1) Probably the easiest way to do this is to boot your target machine to an
alternate OS like NTFSDOS or Linux and just copy the SAM from the
%systemroot%\system32\config folder. It's quick, it's easy, and it's effective.
You can get a copy of NTFSDOS from Sysinternals (http://www.sysinternals.com).
The regular version of NTFSDOS is freeware, which is always nice, but only allows
for Read-Only access. This should be fine for what you want to do; however, if
you're the kind of person that just has to have total control and has some money to
burn, NTFSDOS Pro, which is also by Sysinternals, has read/write access, but it'll
cost you $299.
2) Once again, you may be able to obtain the SAM from %systemroot%\repair if rdisk
has been run and you are lucky enough to have a sloppy admin.
3) You can also get password hashes by using pwdump2. pwdump uses .DLL injection in
order to use the system account to view the password hashes stored in the registry.
It then pulls the hashes from the registry and stores them in a handy little text
file that you can then import into a password cracking utility like l0phtcrack.
4) The final way to obtain password hashes is to listen directly to the network
traffic as it floats by your computer and grab hashes using the above mentioned
l0phtcrack.
check out this... there were many many more links
Maybe you should try to run rdisk, and then you'd have access to the back file?
Read on, it is all there...
***********************************
My question is...
How can you stop someone from doing this?
I guess you could disable booting to floppy/cd-rom, then lock the bios and put a lock on the case?
Any other ideas?
**************
I guess you could disable booting to floppy/cd-rom, then lock the bios and put a lock on the case?
*************
That seems to be a part of security that people don't take seriously enough. They spend 15 thousand on a firewall and 12.95 on a lock for the server room door...go figure.
The main door to our building is of the type you can push open from the inside when it's locked. I showed them how it could be opened from the outside with a bent rod with the bend hammered flat...nadda. At least I got them to get solid locks for the server closet and they're building a secure room (heavy ac, yes!) for the new rack servers.
Hmmm, well for us, we disabled booting from floppy and passworded the CMOS for our workstations, and oh, we also have surveillance cameras and a huge ass 1-way tinted glass window so we can see everything that's happening from the admin room, and we have barred windows and motion detectors. And for our admin room, we also have a hidden camera, windows are barred, and we have a motion detector in case no one is left in the room. So if someone tries to break in.. motion detectors will pick it up and set off the alarm (also sends an SMS message to our mobile phones or pagers) and we have his/her arse on tape hehehe..